On 07/04/14 09:57 -0300, Rogério Augusto Rondini wrote:
> I need to implement password sync between AD and OpenLDAP using an IDM tool.
> I want to know how to capture the clear text password in OpenLDAP before encryption so that I can sync with AD and potentially with other user repositories.
You can capture cleartext passwords using the libsasl 'auto_transition' option, although that requires a specific usage scenario. You'd need to be authenticating against slapd using SASL LOGIN or PLAIN (or perhaps sasl pass-through) with a saslauthd daemon authenticating against AD. Like this in your sasl slapd.conf config:
    pwcheck_method: saslauthd
    mech_list: plain login
    auto_transition: yes
Your saslauthd daemon would need to use the ldap or kerberos backends to authenticate against AD.
The clear text password should get stored into userPassword by way of the slapd auxprop plugin.
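As an added example, not from this thread, here are the two configuration files the reply describes placed side by side; the file paths, the AD host, base DN and service account are assumptions, and the two parts live in separate files in a real deployment.

```conf
# Part 1: slapd's SASL configuration (assumed path: /usr/lib/sasl2/slapd.conf
# or /etc/sasl2/slapd.conf, depending on the distribution).
# auto_transition makes the slapd auxprop plugin store the cleartext password
# in userPassword after a successful PLAIN/LOGIN authentication, so slapd ACLs
# on userPassword must restrict who may read it.
pwcheck_method: saslauthd
mech_list: plain login
auto_transition: yes

# Part 2: saslauthd.conf (assumed path: /etc/saslauthd.conf), used when
# saslauthd runs with "-a ldap". saslauthd verifies the credentials slapd
# forwards by looking the account up in AD and binding as that user.
# Host, base DN and service account below are placeholders.
ldap_servers: ldap://dc1.example.internal/
# Protect the forwarded cleartext password on the wire to AD.
ldap_start_tls: yes
ldap_version: 3
ldap_auth_method: bind
ldap_search_base: dc=example,dc=internal
# %u is replaced by the user name slapd received from the SASL client.
ldap_filter: (sAMAccountName=%u)
# Read-only service account used only for the initial lookup.
ldap_bind_dn: cn=saslauthd,ou=Service Accounts,dc=example,dc=internal
ldap_bind_pw: <service-account-password-placeholder>
```

Verify the saslauthd side on its own with `testsaslauthd -u <user> -p <password> -s slapd` before testing a SASL PLAIN bind against slapd, since auto_transition only writes userPassword after an authentication that succeeds.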